@@ -25,31 +25,64 @@ def get(self):
2525 if key [- 2 :]== "[]" :
2626 rsp = self ._query_array (key )
2727 else :
28- rsp = self ._query_one (key )
28+ rsp = self ._get_one (key )
2929 if rsp : return rsp
3030
3131 return json (self .rdict )
3232
33- def _query_one (self ,key ):
33+ def _get_one (self ,key ):
3434 modelname = key
35+ params = self .request_data [key ]
36+
3537 try :
3638 model = getattr (models ,modelname )
37- model_setting = settings .APIJSON_MODEL .get (modelname ,{})
39+ model_setting = settings .APIJSON_MODELS .get (modelname ,{})
3840 except ModelNotFound as e :
3941 log .error ("try to find model '%s' but not found: '%s'" % (modelname ,e ))
4042 return json ({"code" :400 ,"msg" :"model '%s' not found" % (modelname )})
4143 model_column_set = None
4244 q = model .all ()
43- public = model_setting .get ("public" ,False )
45+ rbac_get = model_setting .get ("rbac_get" ,{})
46+ if not rbac_get :
47+ return json ({"code" :401 ,"msg" :"'%s' not accessible by apijson" % (modelname )})
48+
49+ roles = rbac_get .get ("roles" )
50+ perms = rbac_get .get ("perms" )
51+ params_role = params .get ("@role" )
52+ permission_check_ok = False
53+ user_role = None
54+ if params_role :
55+ if params_role not in roles :
56+ return json ({"code" :401 ,"msg" :"'%s' not accessible by role '%s'" % (modelname ,params_role )})
57+ if functions .has_role (request .user ,params_role ):
58+ permission_check_ok = True
59+ user_role = params_role
60+ else :
61+ return json ({"code" :401 ,"msg" :"user doesn't have role '%s'" % (params_role )})
62+ if not permission_check_ok and roles :
63+ for role in roles :
64+ if functions .has_role (request .user ,role ):
65+ permission_check_ok = True
66+ user_role = role
67+ break
68+
69+ if not permission_check_ok and perms :
70+ for perm in perms :
71+ if functions .has_permission (request .user ,perm ):
72+ permission_check_ok = True
73+ break
74+
75+ if not permission_check_ok :
76+ return json ({"code" :401 ,"msg" :"no permission" })
77+
4478 filtered = False
45- if not public :
46- if not request .user :
47- return json ({"code" :401 ,"msg" :"'%s' not accessable for unauthorized request" % (modelname )})
79+
80+ if user_role == "OWNER" :
4881 owner_filtered ,q = self ._filter_owner (model ,model_setting ,q )
49- if owner_filtered :
50- filtered = True
51- else :
52- return json ({ "code" : 401 , "msg" : "'%s' not accessable because not public" % ( modelname )})
82+ if not owner_filtered :
83+ return json ({ "code" : 401 , "msg" : "'%s' cannot filter with owner" % ( modelname )})
84+ filtered = True
85+
5386 params = self .request_data [key ]
5487 if isinstance (params ,dict ):
5588 for n in params :
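Review bot: `params.get("@role")` at new line 51 runs before the `isinstance(params, dict)` check at line 87, so a request body whose value for this key is a list or a string raises AttributeError inside the view instead of the 400 the dict check is meant to give; move the type check up next to the new `params = self.request_data[key]` at line 35, `if not isinstance(params, dict): return json({"code": 400, "msg": "'%s' params must be an object" % (modelname)})`. In the same branch, `params_role not in roles` at line 55 raises TypeError when the model's `rbac_get` block has `perms` but no `roles` (the later checks at 62 and 69 guard for a missing key, this one does not); `if not roles or params_role not in roles:` closes that. The second `params = self.request_data[key]` at line 86 is now a duplicate of line 35 and can go. The commit also drops the explicit `if not request.user` 401, so whether an anonymous request reaches `functions.has_role(request.user, …)` with a usable object now depends on that helper, which is not visible here; a one-line `if not request.user: return json({"code": 401, …})` before the role loop would keep the old guarantee regardless of the helper's behaviour. The enclosing function continues past this hunk.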
@@ -61,14 +94,9 @@ def _query_one(self,key):
6194 filtered = True
6295 else :
6396 return json ({"code" :400 ,"msg" :"'%s' have no attribute '%s'" % (modelname ,n )})
64- #default filter
97+ #default filter is trying to filter with owner
6598 if not filtered and request .user :
66- default_filter_by_self = model_setting .get ("default_filter_by_self" ,False )
67- if default_filter_by_self :
68- user_id_field = model_setting .get ("user_id_field" )
69- if user_id_field :
70- q = q .filter (getattr (model .c ,user_id_field )== request .user .id )
71- filtered = True
99+ owner_filtered ,q = self ._filter_owner (model ,model_setting ,q )
72100 o = q .one ()
73101 if o :
74102 o = o .to_dict ()
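Review bot: `owner_filtered, q = self._filter_owner(model, model_setting, q)` at new line 99 discards `owner_filtered`, and unlike the OWNER branch earlier in the function nothing reacts when it is false, so `filtered` is never updated and `q.one()` on the next line runs against the unfiltered query for a model that has no owner column configured. The old default-filter block set `filtered = True` only after it actually applied a filter; the replacement should at least carry the result through, `filtered = owner_filtered`, or mirror the OWNER branch and return the same 401 when the owner filter cannot be applied. The comment on line 97 should also state the consequence, e.g. `#default filter: narrow to the requester's own rows when the model has an owner field; the result is left unfiltered otherwise`. The enclosing function starts and ends outside this hunk.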